From 43bbfb4ec62f13768fbd474263cf5497905a3bed Mon Sep 17 00:00:00 2001 From: Tobias Eidelpes Date: Tue, 14 Jun 2022 11:02:07 +0200 Subject: [PATCH] Add solution for 1a --- exam/ex.tex | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/exam/ex.tex b/exam/ex.tex index a8fb389..af036f8 100644 --- a/exam/ex.tex +++ b/exam/ex.tex @@ -35,7 +35,27 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \item \textbf{(18 points)} \begin{enumerate} - \item + + \item EWCDM stands for \emph{Encrypted Wegman-Carter with Davies-Meyer}. As + the name implies, EWCDM is based on a Wegman-Carter construction which + takes the hash of a message $M$ and XORes it with the application of a + pseudorandom function (PRF) to a nonce $N$. This construction is very + efficient and also has a strong security bound. However, it is very + vulnerable to \emph{nonce-misuse}. To deal with that problem, the + Wegman-Carter construction is wrapped by another call to the PRF with a + different key. Another disadvantage is the fact that PRFs are hard to get + by and instead pseudorandom permutations are used. If a pseudorandom + permutation (i.e. block cipher) is used, the security bound of the + construction drops to the birthday bound ($2^{n/2}$). The authors replace + the inner call to the PRF with the \emph{Davies-Meyer} construction + \[ \mathrm{DM}[E]_K(N) = E_K(N)\oplus N \] + and then encrypt that (with the hashed message) in another call to the + block cipher. The resulting EWCDM construction looks like this + \[ E_{K'}(E_K(N)\oplus N\oplus H_{K_h}(M)) \] + and is secure \emph{beyond} the birthday bound against nonce-respecting + adversaries while still offering birthday bound security against + nonce-misusing adversaries. + \item The type of symmetric cryptographic scheme introduced is a Message Authentication Code (MAC). \item \TODO
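
Review bot: The closing EWCDM formula in the new 1a item uses $H_{K_h}$ and $K'$ without introducing them. The prose only says "the hash of a message $M$" and "a different key", so the reader cannot tell from the text that the hash is keyed, nor which key belongs to which call. Suggest naming them where they first appear: write the Wegman-Carter step with $H_{K_h}(M)$ and a PRF keyed with $K$, and say that the outer call uses the independent key $K'$, before the two displayed formulas. Two wording points in the same paragraph: "hard to get by" should read "hard to come by", and "looks like this" wants a colon before the display. The sentence starting "Another disadvantage" follows the nonce-misuse fix without saying it is a disadvantage of the wrapped construction, so a short transition would help.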